#12608 closed enhancement (fixed)
VirtualBox Solaris kernel modules are not signed
Reported by: | Dan A. | Owned by: | |
---|---|---|---|
Component: | installer | Version: | VirtualBox 4.3.6 |
Keywords: | signing, elfsign | Cc: | |
Guest type: | other | Host type: | Solaris |
Description (last modified by )
VirtualBox Solaris kernel modules are not signed with elfsign(1):
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxnet
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxnet.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxdrv
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxbow
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxbow.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusbmon
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusbmon.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusb
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.
In a future version of Solaris, a warning message may be generated for unsigned modules.
Here's an example of how to sign a kernel module on Solaris. This example uses self-signed certs. An official CA-issued cert would be better.
$ pktool gencert keystore=file serial=0x1 format=pem lifetime=20-year \
keytype=rsa hash=sha256 outcert=virtualbox.pem outkey=virtualbox.key \
subject="O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org"
$ su
# cp virtualbox.pem /etc/certs
$ elfsign sign -v -c virtualbox.pem -k virtualbox.key vboxnet
elfsign: vboxnet signed successfully.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.
$ elfsign verify -v vboxnet
elfsign: verification of vboxnet passed.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.
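An added example, not part of the ticket or of VirtualBox: a small audit helper that turns the `elfsign verify -v` messages quoted in the description above into one record per module, including the signer DN so a self-signed certificate stands out. The function names and the sample input are constructed for illustration; only the two message formats shown in the ticket are recognised, and anything else is passed through as `OTHER`.

```shell
#!/bin/sh
# Added example: classify `elfsign verify -v` output per kernel module.

# Constructed sample, using only the message formats quoted in the ticket.
sample_output() {
    cat <<'EOF'
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv.
elfsign: verification of /platform/i86pc/kernel/drv/amd64/vboxnet passed.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.
EOF
}

# stdin: elfsign output. stdout: STATUS<TAB>path[<TAB>signer], one per module.
classify_elfsign() {
    awk '
    function emit() { if (rec != "") print rec; rec = "" }
    /^elfsign: no signature found in / {
        emit(); p = $0
        sub(/^elfsign: no signature found in /, "", p); sub(/\.$/, "", p)
        rec = "UNSIGNED\t" p; next
    }
    /^elfsign: verification of .* passed\.$/ {
        emit(); p = $0
        sub(/^elfsign: verification of /, "", p); sub(/ passed\.$/, "", p)
        rec = "SIGNED\t" p; next
    }
    # Any other elfsign message is kept verbatim for manual review.
    /^elfsign: / { emit(); rec = "OTHER\t" $0; next }
    # Verbose mode prints the signer DN after a passed verification.
    /^signer: / && rec ~ /^SIGNED/ {
        s = $0; sub(/^signer: /, "", s); rec = rec "\t" s
    }
    END { emit() }
    '
}

# Paths of modules that carry no signature.
unsigned_modules() {
    classify_elfsign | awk -F '\t' '$1 == "UNSIGNED" { print $2 }'
}

sample_output | classify_elfsign
```

On a Solaris host, pipe the combined output of the per-module `elfsign verify -v` runs into `classify_elfsign` in place of `sample_output`.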
Change History (9)
comment:1 by , 11 years ago
Description: | modified (diff) |
---|
comment:2 by , 11 years ago
Description: | modified (diff) |
---|
comment:3 by , 11 years ago
Cc: | removed |
---|
comment:4 by , 9 years ago
As a data point, this error is still present with VirtualBox 5.0.14 installed on a VirtualBox host running Solaris 11.3 (January 2016).
comment:5 by , 9 years ago
danxyz, all VBox 5.0.x kernel modules are signed on Solaris. Please provide the output of the tool you used to check if the modules are signed or not.
comment:7 by , 9 years ago
The most recent 5.0.x Solaris test build should have the modules properly signed. Could you confirm?
comment:9 by , 7 years ago
Thanks! Yes, it works now on Oracle Solaris 12 (I confirmed in 2016). Sorry for the late reply. I forgot my old login password, and was since RIFed from Oracle when Solaris kernel development was EOLed :-(.
- danxyz (now danxyz2)
We'll look into this... if it's not much work and if it turns out that Solaris accepts Windows driver signing certs (one of those super expensive special code signing certs we have to have) then it might be possible to get this into the next major release. BTW, we also listen on the internal Oracle bug tracking tools ;)